The Snowden files: British intelligence agency describes attack on Anonymous 

GCHQ, the British signals intelligence agency, prepared the following slides for a 
top-secret conference in 2012, revealing that it had mounted an online attack on the 
hacktivist collective known as Anonymous in September 2011. 

The slides were leaked by former NSA contractor Edward Snowden and obtained 
exclusively by NBC News. 

NBC News is publishing the documents with minimal redactions to protect 
individuals. All annotations appear in the original documents prepared by GCHQ. 
Hacktivism: Online Covert Action 

• Hacktivist groups 

• Online Humint 

• Effects Operations 
Hacktivist groups 

• They are diverse and often have multiple, varied aims 

• Anonymous 

• LulzSec 

• A-Team 

• Syrian Cyber Army 

• Targets include: Corporations, banks, governments, 
copyright associations, political parties 

• Techniques: DDoS, data theft - SQLi, social engineering 
Aims: 
Online HUMINT - CHIS 

• 2 Examples from Anonymous IRC Channels: 

• Gzero 

• p0ke 

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 








Gzero 

Asking for traffic 

• Engaged with target 

• Discovered Botnet with malware analysis & SIGINT 

• Outcome: Charges, arrest, conviction 
#OperationPayback 

[11:36] Anyone here have access to a website with at least 10,336+ unique traffic per day 
[11:27] <CHIS> admin access to it? 
[11:27] FTP access/cPanel yes. 

Private Messages 

[11:28] <CHIS> maybe, what do you want it for 
[11:28] the traffic rate? 
[11:23] [redacted] it'll help the Op 
[11:29] <CHIS> mine got 27k per day yesterday (pr0n) 
[11:29] 
[11:29] 
[11:33] <CHIS> here 
[11:32] Pretty much it's a crypted iframe which will attempt to attack all PC's heading to that website. 
[11:32] If they have vuln software they're added to a net that is used for OP Paybacks DDoS artillery 
[11:32] <CHIS> so you will use exploit or some javascript thing? 
[11:32] If they are not vuln then nothing happens 
[11:32] Yes 
[11:33] The frame is obfuscated JS 
GZero 

[15:16] <GZero> yo 
[15:16] <GZero> works with me 
[15:16] <GZero> i need traffic 
[15:16] <CHIS> hey. 
[15:17] <CHIS> what for? 
[15:17] <GZero> exploit pack 
[15:17] <GZero> will pay you if traffic is 
[15:17] <GZero> u wanna talk? 
[15:18] <GZero> http://alpha.b0x.su/hits.txt - Need to make this bigger ;> 
[15:19] <GZero> http://pastebin.com/[redacted] - 35 for if name 
[15:19] <GZero> http://alpha.b0x.su/iqjtcoxoa.php Live URL 
[15:19] <GZero> U have traffic? 
[15:21] <CHIS> so What is at that page anyway? 
[15:21] <GZero> several exploits 
[15:21] <CHIS> yeah I've got traffic, get 92k hits yesterday - 
[15:22] <GZero> ok 
[15:22] <GZero> lets talk :p 

Infrastructure 
WHOIS: gzerol 

1st Stage implant: 

Lead to 2nd stage & WARP EG 
botnet, SpyEye malware 
Online Humint - Gzero 



JTRIG & SIGINT reporting lead to identification, arrest 

Sentenced for 2 years - April 2012 

Hacker jailed for stealing 8 million identities 

[Screenshot of a news article under this headline; body text illegible in extraction] 
p0ke 

Discussing a database table labelled 'FBI', in Anon Ops IRC 

• Engaged with target - exploiting US Government website, 
US company website 

#OperationPayback 

[19:40] Topiary: I has list of email:phonenumber:name of 708 FBI tards 
[19:40] <p0ke> :P 
[19:41] <Topiary> what about passwords? 
[19:41] <p0ke> It was dumped from another gov db, Topiary 
[19:41] <p0ke> A table named fbi 
[19:42] <Topiary> ah, like an FBI affiliated contact userbase? 
[19:42] <p0ke> that was all it contained D: 
p0ke 

Private messages 

[20:34] so what was the site?! 
[20:3J] if its special ;> 
[20:94] <p0ke> usda.gov 
[20:93] HHH :( - did you get past the site db tho? 
[20:99] <p0ke> We2 
[20:13] so u had a poke around on the network? lol 
[20:13] <p0ke> neh a iil 
[20:13] <p0ke> Master card: mail.house.gov 
[20:13] <p0ke> IHPAjC ^ ocar.army.pentagon.mil 
[20:13] <p0ke> VISA: mail.af.mil 
p0ke 

Identification 

...Enabled SIGINT 

p0ke: 

Name: 

Facebook, email accounts 
Effects on Hacktivism 

• Op WEALTH - Summer 2011 

• Intel support to Law Enforcement -identification of top 
targets 

• Denial of Service on Key Communications outlets 

• Information Operations 
DDoS 

• ROLLING THUNDER 

• RT initial trial info 




[15:40] <sre«der> hello, was there any problems with the irc network? i wasn't able to connect the past 30 hours. 
[15:42] <speakeasy> yeah 
[15:42] <speakeasy> we're being hit by a syn flood 
[16:44] <speakeasy> i didn't know whether to quit last night, because of the ddos 

[Screenshots of three tweets from the account anon_anonz mentioning anonops; text largely illegible in extraction] 
IO Outcome 



CHIS with( 

80% of those messaged were not in the IRC channels 1 
month later 
Conclusion 

• Team working - SIGINT, JTRIG, CDO, INOC - was key to 
success 

• Online Covert Action techniques can aid cyber threat 
awareness 

• Effects can influence the target space 